Picture-8 SMTP Virtual Server General Property
2. On the Access tab, you can specify how people can send email through your virtual server.
![[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-9 [IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-9](/./images/stories/windows/[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-9.gif)
Picture-9 SMTP Virtual Server Access Property
Click the Authentication button under the Access control section of the tab. You'll see a screen called Authentication. Anonymous access to your SMTP server is enabled here by default. In the bottom portion of the box you can specify the method by which non-anonymous users will authenticate. The first option is basic authentication, which negotiates a username and password in clear text between the client and the SMTP server. There's also integrated Windows authentication, which encrypts the username and password and sends them between the client and the server. This uses either the SAM accounts database on the IIS server machine or Windows' built-in integration with Active Directory. Finally, there's SSL authentication, which uses certificates only to establish the identity of a client computer to a server. Either of the latter two options will work if you want credentials to be passed in a secure environment; basic authentication simply passes the credentials over the wire unprotected, leaving an open door for sniffers.
![[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-10 [IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-10](/./images/stories/windows/[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-10.gif)
Picture-10 SMTP Authentication
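Why basic authentication needs an encrypted channel, as an added example that is not part of the original tutorial: SMTP basic authentication normally travels as AUTH LOGIN or AUTH PLAIN, which are only base64-encoded, so this Python check flags any such exchange that appears before STARTTLS in a client command log. The transcripts, the function name `audit_session` and the host `client.example.test` are constructed for illustration.

```python
import base64

# Constructed client command logs (not captured traffic).
USER = base64.b64encode(b"johnd").decode()
PASS = base64.b64encode(b"constructed-password").decode()
PLAINTEXT_SESSION = ["EHLO client.example.test", "AUTH LOGIN", USER, PASS,
                     "MAIL FROM:<johnd@windowspeople.com>"]
TLS_SESSION = ["EHLO client.example.test", "STARTTLS",
               "EHLO client.example.test", "AUTH LOGIN", USER, PASS]

def _b64(text):
    """Decode one base64 SMTP line; return '' if it is not valid base64."""
    try:
        return base64.b64decode(text, validate=True).decode("utf-8", "replace")
    except ValueError:
        return ""

def audit_session(commands):
    """Return one finding per AUTH LOGIN/PLAIN exchange sent before STARTTLS."""
    findings, tls, i = [], False, 0
    while i < len(commands):
        parts = commands[i].split()
        verb = parts[0].upper() if parts else ""
        if verb == "STARTTLS":
            tls = True
        elif verb == "AUTH" and len(parts) >= 2:
            mech = parts[1].upper()
            # Credentials arrive as an initial response or on the following lines.
            blobs = parts[2:3]
            need = {"LOGIN": 2, "PLAIN": 1}.get(mech, 0)
            while len(blobs) < need and i + 1 < len(commands):
                i += 1
                blobs.append(commands[i])
            user = secret = ""
            if mech == "LOGIN" and len(blobs) == 2:
                user, secret = _b64(blobs[0]), _b64(blobs[1])
            elif mech == "PLAIN" and len(blobs) == 1:
                # PLAIN payload is: authzid NUL username NUL password
                fields = _b64(blobs[0]).split("\x00")
                if len(fields) == 3:
                    user, secret = fields[1], fields[2]
            if not tls and mech in ("LOGIN", "PLAIN"):
                findings.append({"mechanism": mech, "username": user,
                                 "password_recoverable": bool(secret)})
        i += 1
    return findings
```

A non-empty result for a session means the username and password were readable by anyone on the network path, which is the case for requiring TLS whenever basic authentication is enabled.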
From Connection Control you can grant or deny access to this resource using IP addresses or Internet domain names.
![[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-11 [IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-11](/./images/stories/windows/[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-11.gif)
Picture-11 Connection Control
Important: restricting or allowing access based on a DNS domain name will slow response time considerably and cause processor utilization to increase significantly, because each SMTP request must be accompanied by a reverse lookup on the part of the IIS server.
Next, in Relay Restrictions you can grant or deny permissions to relay e-mail through this SMTP virtual server. The difference is that with a relay restriction, you're only saying that these IP addresses are not allowed to send outgoing mail through this server. With connection control, you are restricting the ability of a set of addresses to even communicate with the server, either to bring mail to the server or to send outgoing mail.
Important: Usually, you add local IP addresses on your site to this list and allow only those addresses to talk. Also, you can specify whether computers that authenticate to the SMTP server can send outgoing email, regardless of whether they appear in the list. This is useful for clients on Internet addresses: as long as they authenticate, they can still use the SMTP server even though their address isn't local.
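The difference between connection control and relay restrictions, as an added example that is a simplified Python model and not IIS code: connection control is checked first and blocks all communication, while the relay list and the authenticated-relay option only decide whether mail for a non-local domain is sent onward. The function name, the policy keys and the sample networks are assumptions; it assumes connection control is set to deny the listed addresses and the relay list is set to allow only the listed addresses.

```python
import ipaddress

def _in_any(ip, networks):
    """True if ip falls inside any of the listed networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n) for n in networks)

def smtp_access_decision(client_ip, rcpt_domain, authenticated, policy):
    """Model the two checks: connection control, then relay restrictions."""
    # Connection control: a denied address cannot talk to the server at all,
    # neither to bring mail in nor to send mail out.
    if _in_any(client_ip, policy["connection_denied"]):
        return "connection refused"
    # Mail for a domain hosted here is inbound delivery, not relaying.
    if rcpt_domain.lower() in policy["local_domains"]:
        return "accepted for local delivery"
    # Relay restrictions: only listed addresses may send outgoing mail...
    if _in_any(client_ip, policy["relay_allowed"]):
        return "relayed (address on relay list)"
    # ...unless authenticated computers may relay regardless of the list.
    if authenticated and policy["relay_if_authenticated"]:
        return "relayed (authenticated)"
    return "relay denied"

# Constructed policy: documentation and private address ranges only.
POLICY = {
    "connection_denied": ["203.0.113.0/24"],
    "relay_allowed": ["192.168.1.0/24", "127.0.0.1/32"],
    "relay_if_authenticated": True,
    "local_domains": {"windowspeople.com"},
}
```

If the relay list were left open to all addresses, the third check would match every client and the server would forward mail for anyone, which is why the list is normally limited to local addresses.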
3. SMTP Messages Tab
Once a connection has been opened and the receiving server has acknowledged that it is ready to receive data, messages can be transmitted for delivery. You can use the Messages tab to determine transmission requirements and limits. You can specify policies on the types of messages to accept through the virtual server. You can limit message size in KB, the size of all messages transferred in a particular session in KB, the number of messages allowed in a particular session, and the number of addressees in a message. You also can specify a particular email address to which to send non-delivery reports (those dreaded bounce messages), and a directory to store mail that can't be delivered so that you can examine it for errors later.
![[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-12 [IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-12](/./images/stories/windows/[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-12.gif)
Picture-12 SMTP Messages
4. SMTP Delivery
The Delivery tab enables you to set options that relate to the actual transmission of messages to and from your server. You can specify the first three intervals for retrying delivery of a failed message, and then the interval at which further attempts are tried. You also can set how long the server should try to send a message before sending a notification to the sender, and how long the server should try to send the message before giving up (an "expiration timeout"). Plus, you can set the delay notification and expiration timeout values for messages sent between recipients local to the SMTP server.
The Outbound Security button enables you to edit the settings used in conjunction with transmitting messages to other SMTP servers. You can set the level of security used between two SMTP servers talking to each other: anonymous connections, basic authentication, and integrated Windows authentication, all of which I discussed previously in this section, plus the option to perform the integrated Windows authentication using TLS encryption, which is very strong and hard to break.
![[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-13 [IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-13](/./images/stories/windows/[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-13.gif)
Picture-13 SMTP Outbound Security
Note: You can use integrated Windows authentication only if both servers involved in the transaction are Windows machines. If you are using Unix servers, you need to use basic authentication.
The Outbound connections button enables you to limit the number of outgoing connections from your virtual server, and to set a stale time limit for those connections. You also can restrict the number of connections per SMTP domain to a certain number. Plus, you can specify the port on which outbound SMTP transactions will be made; the default is 25.
![[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-14 [IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-14](/./images/stories/windows/[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-14.gif)
Picture-14 SMTP Outbound Connections
From Advanced Delivery, you can configure more complex settings to customize message transmission. The options include the following:
- You can set a maximum hop count, which counts the number of times a message is bounced around between SMTP servers, to avoid an interminable message loop. Usually I recommend setting this to 10 or less.
- You can set the DNS domain name with which all outgoing messages will be sent.
- You can configure the fully qualified domain name that your SMTP server will masquerade as. This is useful if your server's name is, perhaps, srv101.windowspeople.com. The email address you want the public to see is johnd@windowspeople.com, but according to the SMTP server you are johnd@srv101.windowspeople.com. By using the masquerade option, you can simply tell the SMTP server that it is windowspeople.com only and not srv101.windowspeople.com.
![[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-15 [IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-15](/./images/stories/windows/[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-15.gif)
Picture-15 SMTP Advanced Delivery
- You can configure a "smart" host, which is a machine upstream on your Internet connection that relays outgoing messages on behalf of your server. In this case, your SMTP virtual server will toss all outbound messages to the smart host, who then becomes responsible for delivering them. You also can specify that the smart host option should be used only after failing to make a normal delivery.
- You can configure the server to find the domain name for the IP address of the server from which incoming mail is being transmitted. This can be an extra step in verifying that mail is legitimate and not spam. If the domain name is found via what's called a reverse lookup, it is placed inside the Received portion of the message's header.
5. LDAP Routing
On the LDAP Routing tab, you can instruct the SMTP server to access an LDAP server for more information on senders or recipients listed in messages coming through the server. Enabling LDAP routing automatically configures the SMTP server to access the currently available Active Directory by default if one is present. You also can specify other LDAP servers by supplying their hostnames, schema types, binding types, the account name and password for accessing it, and the naming context.
![[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-16 [IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-16](/./images/stories/windows/[IIS-Tutor]-Windows-Server-2003-Internet-mail-solution---Part-Two-SMTP-16.gif)
Picture-16 SMTP LDAP Routing
6. Security
Here, you can specify the Windows accounts that should have operator privileges for the SMTP virtual server.